Persistence via Hidden Run Key Detectededit

Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

/* Registry Path ends with backslash */
registry where /* length( > 0 and */
 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",